Post on 03-Feb-2023
arX
iv:2
107.
1046
7v2
[cs
.CR
] 1
1 O
ct 2
021
Improving Blockchain Consistency by Assigning Weights to
Random Blocks
Qing Zhang*, Xueping Gong*, Huizhong Li‡, Hao Wu‡, and Jiheng Zhang†
*†Department of Industrial Engineering and Decision Analytics†Department of Mathematics
*†The Hong Kong University of Science and Technology‡WeBank Co., Ltd.
October 12, 2021
Abstract
Blockchains based on the celebrated Nakamoto consensus protocol have shown promise in
several applications, including cryptocurrencies. However, these blockchains have inherent scal-
ability limits caused by the protocol’s consensus properties. In particular, the consistency prop-
erty demonstrates a tight trade-off between block production speed and the system’s security
in terms of resisting adversarial attacks. This paper proposes a novel method, Ironclad, that
improves blockchain consistency bound by assigning a different weight to randomly selected
blocks. We apply our method to the original Nakamoto protocol and rigorously prove that such
a combination can improve the consistency bound significantly by analyzing the fundamental
consensus properties. Such an improvement enables a much faster block production rate than
the original Nakamoto protocol under the same security guarantee with the same proportion of
malicious mining power (see Figure 1).
1 Introduction
In 2008, Satoshi Nakamoto [20] proposed the celebrated Nakamoto protocol, which uses proofs of
work (PoW) to solve consensus problems in distributed systems. Such a protocol is permissionless
since any party can participate in building such a blockchain by solving cryptographic puzzles and
broadcasting valid blocks via a peer-to-peer network. The Nakamoto consensus protocol is proven
to be highly secure as it has been widely used in applications such as cryptocurrencies in the past
decade.
However, Nakamoto consensus by design has a tight trade-off between throughput and security,
preventing its blockchain systems from being scaled up for a broader range of applications. It is
well known that Bitcoin suffers from low throughput, measured by transactions per second, and
long latency since the average time between two blocks is ten minutes. Such problems cannot be
*Equal contributions.
1
solved by simply increasing the speed of producing blocks because of the network delay and the
adversary.
The scalability of blockchain systems based on the Nakamoto protocol is essentially limited by
the protocol’s fundamental properties, namely the agreement among honest parties, the growth
rate of the longest chain, the proportion of blocks mined by honest parties [8, 24, 9, 14]. The
agreement among honest parties, referred to as consistency, is the most crucial one because the
consistency bound captures the security threshold of the system [6, 9]. Therefore, improving the
consistency bound allows us to increase the speed of producing blocks while tolerating the same
proportion of adversarial mining power.
To analyze the consistency, the original Nakamoto paper [20] uses a simple random walk model
to show that the probability of building a fork to exceed the longest chain drops with exponential
rate. However, the analysis does not consider other attacks where the adversary can confuse the
honest parties and consequently divide the computational power owned by honest parties. The
paper [8] provides the first rigorous study that uses the common prefix to model and analyze the
consistency in the synchronous setting. Later, [24] proposes a different model to establish the
consistency bound in networks with delay upper bound ∆. For such ∆-synchronous networks, [14]
tightens the bound based on a Markov model; [27] adopts a Poisson model to obtain the consistency
condition; [9] leverages the margin analysis and random walk to establish a tight consistency bound,
and [6] uses a different tree model analysis to obtain the same bound.
Many recent research efforts have committed to designing effective protocols to improve through-
put based on the Nakamoto consensus. As summarized in the survey papers [3, 35], some proto-
cols exploit blocks that are not on the main chain, achieving higher transaction processing rates
[31, 11, 30]; some protocols replace the original chain structures with a Directed Acyclic Graph
(DAG) or parallel chains consisting of concurrent chain instances [34, 10, 17, 2, 36, 19]; off-chain
approaches [25] allow parties to execute transactions off the main chain consensus and only submit
the final state to the blockchain. In addition to the methods above, some recent works propose the
decoupled consensus [22, 2, 7, 28, 10] that separates the storage and consensus functions of a block
to allow a higher rate of generating blocks that are only related to transactions. Despite the novelty
behinds these new designs, we note that many of them still rely on the original Nakamoto consensus
without any fundamental improvement on the consistency. For example, the DAG structure in [10]
is a convergence structure that relies on a Nakamoto chain (consisting of higher difficulty blocks)
to build the global ledger.
Our approach. In this paper, instead of developing new protocols, we aim to improve the consis-
tency bound of the original Nakamoto consensus. Note that the original Nakamoto protocol treats
all valid blocks equally for both consensus and information storage. As an upgrade, we randomly
choose some valid blocks to be iron blocks with probability q. To differentiate, we call the unchosen
valid blocks regular blocks. The key is to let the two types of blocks play roles of differentiated
importance in the process of reaching consensus. To this end, we introduce the concept of weight
and assign regular blocks weight 1 and iron blocks a larger weight θ > 1. The weight of a chain is
defined to be the sum of the weights of all blocks (iron or regular) on this chain. Such an upgrade
requires a very minimal change of the original Nakamoto protocol since what an honest party needs
to do is to “stick” with the heaviest chain instead of the longest chain. We call our method Ironclad,
which is characterized by the weight and randomness parameters (θ, q).
2
Efficacy. Such a small change turns out to be an effective modification of the Nakamoto consensus
protocol that can achieve a great improvement on the consistency bound. To demonstrate the
efficacy, Figure 1 shows a comparison of the regions where the consistency property holds in terms
of the fraction of mining power ρ owned by the adversary and the blocktime c normalized by
the network delay bound ∆. The larger the area under the curve, the better the consistency
bound, because for the same block production speed, Nakamoto consensus combined with Ironclad
can tolerate a larger adversarial fraction; for the same adversary fraction, our method allows a
much higher speed of producing blocks. The improvement is especially significant when blocks
are produced at high speed (small c), which is in great need in practice. Furthermore, numerical
results in Section 5 demonstrate that in addition to the consistency, our method also improves
other fundamental consensus properties such as chain quality and confirmation time.
1100
150
110
14
12
1 2 4 10 50 1000
18
14
38
12
c (blocktime normalized by network delay ∆)
ρ(A
dversaryfraction
)
Nakamoto+Ironclad
Nakamoto [9, 6]
Nakamoto [14]
Fig. 1: Minimum percentage of computing power the adversary must control in order to break consistency.We compare the consistency bounds of Nakamoto from [14, 9, 6] with the consistency bound ofNakamoto+Ironclad established in Theorem 3.1 with q = 0.02 and θ = 500. The network delay ∆ = 1013
and total mining rate p = 1
c∆.
Intuition. With a large weight θ, an iron block mined by an honest party can easily beat other
competing regular blocks to be accepted by all honest parties, and consequently reduce the waste of
honest mining power caused by forks. The adversary does not benefit from iron blocks in the same
way as the honest parties do. When the adversary get an iron block, if he broadcasts it immediately,
then forks will end as in the previous case; if withholds it for breaking agreement later, such leading
weights will be exceeded by the heaviest honest chain due to honest majority. However, a too-large
weight parameter θ will take too long for block confirmation, forming a trade-off between the
confirmation time and the consistency bound illustrated in Section 4. The randomness parameter q
controls the frequency of iron blocks, which could be optimized to minimize the side effects of θ. In
Section 4.1, we provide principles to choose parameters (θ, q) by solving an optimization problem.
Methodology. We rigorously prove that our method can significantly improve the consistency
bound of Nakamoto consensus. We model the mining process by adopting the formal language
theory and borrowing the concept of characteristic strings in [9]. We make a more precise approx-
3
imation of the Poisson process to describe block production. [13] uses a graph-theoretic tool to
describe forks in the blockchain system, and then [9] introduces the concept called ∆-fork based
on the tool. We adopt these tools to our method with two types of blocks. Then, we lever-
age the semi-Markov chain and concentration inequalities to analyze the consistency and liveness
properties of Nakamoto+Ironclad. Compared with the result in [14], our analysis establishes a
more rigorous characterization of state transitions for the more general model induced by Ironclad.
We build a two-dimensional random walk model to analyze the consensus attack and prove that
Nakamoto+Ironclad can outperform the Nakamoto protocol in terms of expected adversarial fork
length.
Main contributions. The contributions of this work can be summarized as the following.
1. We propose Ironclad, an effective and simple stochastic method to improve the blockchain
consistency bound.
2. We apply our method to the original Nakamoto protocol and rigorously prove that such
combination can improve the consistency bound significantly.
3. Furthermore, we provide principles to choose proper parameters of Ironclad by analyzing the
trade-off between the consistency bound and the confirmation time and optimizing tolerance
to the adversary.
4. We apply our method to parallel chains and show the efficacy in the numerical experiments.
We also discuss the potential extension to other Nakamoto-based protocols.
Outline. In Section 2, we introduce the basic setting and related concepts describing the proposed
method. In Section 3, we first build a semi-Markov model to analyze the impact of our method
on system consensus. Moreover, we prove that our method enhances consensus for any non-trivial
randomness parameter q ∈ (0, 1) and θ > 1. Additionally, we discuss the selection of relevant
parameters in our approach. We also show that the upgraded protocol satisfies chain growth and
chain quality. In Section 4, a random walk model is built to analyze attacks in a detailed way.
Finally, we apply our idea to Nakamoto protocol and parallel chains in Section 5, and obtain
convincing simulation data to verify our conclusion. We review literatures and discuss potential
combinations with our method in Section 6.
Notations. To facilitate the description of our model, we first present a set of notations. For a
natural number n, [n] denotes the set 1, 2, · · · , n. An indicator function of an event E is denoted
by 1E. Let Σ be an alphabet containing several symbols, e.g., Σ = 0, a,A, h,H. Denote Σn as
the set of all strings consisting of symbols in Σ with length n and Σ∗ = Σ0∪Σ1∪· · ·∪Σn∪· · · as the
set of all such strings of any length. For any string w, denote |w| its length. A language is a subset of
Σ∗ and the concatenation of two languages L1 and L2 is denoted by L1||L2 = ww′|w ∈ L1, w
′ ∈ L2
where ww′ is the concatenation of two strings. In some cases, we are also interested in the slice of
a string w = w1w2 · · · , where wi is the i-th symbol in w. Denote ws:t = wsws+1 · · ·wt as the slice
of w from position s to t.
4
2 Problem Formulations
We consider a ∆-synchronous, slot-based and permissionless network model. A blockchain system
is maintained by a number of parties, including the honest and the adversary. Honest parties carry
out the specified protocol, while the adversary may diverge arbitrarily from the specifications. More
precisely, honest parties keep a copy of their current view of the blockchain, try to mine blocks at the
end of their chain, and broadcast the result to all other parties immediately. Adversarial parties can
observe messages as soon as it is sent. They can delay and reorder all messages received by honest
parties up to a delay of ∆ time slots. All parties actively engage in searching for “proofs-of-work”
(PoWs) by accessing a random oracle.
We combine our method with the original Nakamoto protocol [8, 24, 14, 9] by randomly selecting
blocks to be iron blocks and assigning weights to them. To this end, we introduce the concept of
weight and assign regular blocks weight 1 and iron blocks a larger weight θ > 1. The weight of
a chain is defined to be the sum of the weights of all blocks (iron or regular) on this chain (see
Equation (1)) . Such an upgrade requires a very minimal change of the original Nakamoto protocol
since what each honest party needs to do is to “stick” with the heaviest chain instead of the longest
chain.
2.1 Characteristic String
For the purposes of analysis, we discretize the continuous timeline into time slots indexed by natural
numbers. In order to analyze the dynamics of block production given the presence of the adversary
and network delay, we adopt the models from [9, 13] and extend the analysis to our case with two
types of blocks. We use a characteristic symbol to indicate whether a proof-of-work is discovered
in a particular time slot, and whether the successful party is honest or adversarial. A symbol from
the alphabets 0, h,H and 0, a,A indicates the mining outcome in each time slot by the honest
parties and the adversary, respectively. Specifically, 0 means no block produced, h, a means a
regular block, and H,A means an iron block. A sequence of symbols in 0, h,H and 0, a,A
consists of a characteristic string for honest and adversarial parties, respectively.
The probability that more than one block can be produced in a time slot diminishes as the
discretization of the continuous timeline becomes finer. Thus, we can exclude such an event and
assume that at most one block can be produced in each time slot [14, 9]. Let p be the probability
of obtaining a block in a time slot and ρ be the adversarial fraction of total mining power. Then we
define ph := (1− ρ)p and pa := ρp to be the probabilities of obtaining a block in a time slot by the
honest parties and the adversary, respectively, and q to be the probability for a newly mined block
to be an iron block. It is clear that for any given ph, pa, q, each symbol in honest characteristic
strings is independently drawn according to
wt =
h, with probability (1− q)ph,
H, with probability qph,
0, with probability 1− ph.
Similarly, each symbol in the adversary characteristic string w′1w
′2 · · · ∈ 0, a,A
∗ is independently
5
drawn according to
w′t =
a, with probability (1− q)pa,
A, with probability qpa,
0, with probability 1− pa.
Note that blocks discovered by the honest parties and the adversary are mutually exclusive
in [9], while the behaviors of the two parties are independent in our model, closer modeling to
reality. Therefore, it is possible to have at most two blocks (one from the honest and one from the
adversary) in a time slot.
Remark 2.1 The selection of iron blocks requires the consensus guarantee, which means that any-
one is able to verify the validity of iron blocks. In general, verifiable random variables (e.g., block
hash) with a known distribution can satisfy the requirement. We provide several methods that are
widely used and easy to implement. A classical and natural way is to set difficulty targets and
compare them with block hashes, which is introduced by Bitcoin[20] and widely used in literature
[12, 36, 2]. A direct extension is rehashing via a new independent random oracle. As introduced
by [8], 2-for-1 trick can also be used to differentiate blocks: the prefix of a block hash determines
whether the mining is successful, and the suffix is used to determine block types [22].
2.2 Blockchain Structure and Our Goals
Since all valid blocks form a directed rooted tree F = (V,E), where V is the set of vertices (blocks)
and E, it is also important to characterize the graphic structure of regular blocks and iron blocks.
For any vertex B ∈ V , define depth(B) to be the length of the shortest path from the root to B.
We define a label function lb : V → 0, 1, 2, . . . to map a block B ∈ V to the time slot when it was
produced. A block B is honest if it is mined by an honest party, and adversarial otherwise. Using
the notation of characteristic string and label function., if block B is honest then wlb(B) ∈ h,H.
However, there may exist an adversarial block B′ produced in the same time slot, i.e., lb(B′) = lb(B)
but wlb(B) ∈ a,A. The tool to analyze the graphic structure originates from [13]. [24] consider
the delay in a tree-based model and [9] systematically describe the ∆-fork via characteristic strings.
We reflect network delays with a single parameter ∆: while any message sent by honest parties will
be delivered, the adversary may delay its arrival by up to ∆ time slots. We modify the definition
of ∆-fork in our model for the purpose of analyzing Ironclad.
Definition 2.1 (∆-fork) A PoW ∆-fork for the honest string w ∈ 0, h,H∗ and the adversarial
string w′ ∈ 0, a,A∗ with equal length is a directed rooted tree F = (V,E) satisfying the following
axioms:
A1. The root r, which has label lb(r) = 0, is honest.
A2. The sequence of labels lb(·) along any directed path is increasing.
A3. If wt ∈ h,H and w′t = 0 then there is exactly one block with label t. If wt ∈ h,H and
w′t ∈ a,A then there exists at least one block with label t.
A4. For any two honest blocks B1 and B2 with lb(B1) + ∆ ≤ lb(B2), we have depth(B1) ≤
depth(B2).
6
Remark 2.2 A.1 rules out the trivial case where the honest miners and the adversary mine blocks
in two completely different blockchains. A.2 excludes the event of collisions, which has been proven
to have negligible probability [8]. It can be inferred from A.3 that there are at most two blocks with
the same label. And if two blocks in F have the same label t, then one must be wt ∈ h,H and
the other must be w′t ∈ a,A. This echos our model that honest parties and the adversary produce
blocks independently instead of exclusively. A.4 means that all honest parties will take into account
any honest block produced ∆ (upper bound of network delay) time ago due to sufficient time for
network propagation.
Denote the collection of all ∆-forks for (w,w′) as F∆(w,w′). A path C in a fork F ∈ F∆(w,w
′)
originating at the root is called a chain. If the last block in C is honest, then C is an honest chain,
indicating that C will be held by at least one honest party. Define
W(C) =∑
B∈C
1B is a regular block + θ1B is an iron block (1)
to be the sum of the weights of all blocks in C. Note that in the original Nakamoto protocol, the
W(C) degenerates to be the number of blocks in the chain C since all blocks have the same weight.
Ironclad requires honest parties to mine a new block extending the heaviest chain in a ∆-fork F ,
whose weight is defined to be the weight of its heaviest chain, i.e.,
W(F ) = maxC⊂FW(C). (2)
Definition 2.2 (Honest Subfork) A subfork F ′ ⊂ F ∈ F∆(w,w′) is honest if all the leaves of
F ′ are honest. The honest subfork with the most blocks in F is the maximal honest subfork, denoted
as F .
In many cases, we are interested in the chains and forks up to time slot t. We add subscripts
t to chains and forks to emphasize that they are created by the time slot t. Intuitively, Ft and Ctare “snapshots” of forks and chains at time t. For example, Ft is an element in F∆(w1:t, w
′1:t), and
Ct ⊂ Ft. In order to take the delay ∆ into consideration, we need to remove the most recent ∆
time slots from time t. For example, the ∆-fork Ft without considering the latest ∆ time slots can
be represented by Ft−∆. We define Ct ⊂ Ft to be a dominant chain in the fork Ft if
W(Ct) ≥ W(Ft−∆).
A dominant chain is a candidate for honest parties to follow due to the delay because no chain held
by honest parties at time slot t−∆ is heavier than it.
We now provide an example depicted in Figure 2 to illustrate the concepts defined above. The
fork F8 exclude the block labeled 9 and the fork F8−∆ exclude the block labeled 7. The block
labeled 5 is not in the maximal honest subfork F8−∆, since it is adversarial. For the dominant
chains, we have C7 = C8 ⊂ C9. Dominant chains in F9 are 0← 1← 4← 7← 9 and 0← 1← 4← 7,
where the numbers are labels of corresponding blocks.
Based on previous formulations, we study the two properties: consistency and liveness, originally
formulated in [8], when combining Ironclad with original Nakamoto consensus. We first introduce
7
adversaryregular
honestregular
honestiron
no. timestamp(label)
0 1 4
2
7
5
9
Fig. 2: The delay ∆ = 2, t = 10, honest string w = hh0H00H0h and adversarial string w′ = 0000a0000.
the definitions of chain prefix [9]: For a chain Ct and a natural number k, Ct−k is the chain obtained
by removing from Ct all blocks minded from slots t − k + 1, . . . , t. When t ≤ k, define Ct1−k as
the genesis. Define C′t′ Ct iff C′t′ = Ct−k for some k, and we say C′t′ is a prefix of Ct.
Definition 2.3 (Consistency) For a ∆-fork Ft, there exists a time interval parameter k such
that for any slot t1 < t2, and dominant chains Ct1 and Ct2 both held by honest parties, Ct1−k Ct2with probability 1− exp(−Ω(k)).
Definition 2.4 (Liveness) For any slots t1, t2 with t1+u ≤ t2, and any dominant chain Ct2 ⊂ Ft2 ,
there exists an honest chain Ct Ct2 for t1 ≤ t ≤ t1 + u with probability 1− exp(−Ω(u)).
Intuitively, consistency means that honest parties will all agree upon a chain among all the
blocks that have been fully synchronized, i.e., produced ∆ time slots ago, with large probabilities.
Liveness guarantees that the blockchain held by an honest party incorporates at least one fresh
honest block over any period of u slots.
3 Analysis on Blockchain Properties
Consistency is the most crucial property as it guarantees that all honest parties agree on a chain
except for the blocks produced in the latest k time slots. In Section 3.1, we analyze the consistency
of Nakamoto protocol equipped with Ironclad using a semi-Markov framework. We compare our
consistency bound with the result for the original Nakamoto protocol which is established in [14, 9,
6]. Consistency also demonstrates a tight trade-off between security and throughput. In Section 4.1,
we discuss the selection of parameters in our method to optimizing the tolerance ratio for the
adversary mining power. Moreover, we also study three interesting properties of our approach, and
validate them by simulation data. Finally, we quantify the chain growth rate and chain quality,
which describes the blockchain system in a different view. We combine the three chain properties
to prove the liveness property in Section 3.2.
3.1 Consistency
We analyze the state transitions caused by four characteristic patterns in our proposed semi-Markov
chain model. The analysis relies on “patterns” that can guarantee the convergence of all honest
chains if there is no attack from the adversary. For example, the pattern 0∆h0∆ means
that no two honest blocks produced within the synchronization delay bound [8, 24, 14]. Such a
pattern is conservative for establishing consistency but reasonable because they consider the worst
8
cases due to the delay. When such a pattern occurs, the chains kept by honest parties have an
opportunity to converge. To ruin this opportunity, the adversary must have a chain that is at
least as long as the longest chain of honest parties. This requires the adversary to have enough
computing power to produce more blocks than the occurrence number of such patterns, which has
a very small probability due to the honest majority assumption. To obtain a proper bound for
the adversarial mining power tolerance, we introduce a new random variable α (see Lemma 3.1) to
measure the minimal adversarial mining power requirement to prevent honest parties from reaching
an agreement.
Definition 3.1 (Characteristic Patterns) For a characteristic string w ∈ h,H, 0∗, consider
the decomposition w = σ(1)σ(2) · · · where σ(i) belongs to one of four patterns defined below:
• σ1 : h||0k , k < ∆, corresponding to the case where two honest regular blocks are mined
within an interval smaller than the delay, which may cause forks.
• σ2 : h||0k , k ≥ ∆, corresponding to the case where an honest regular block is mined
without a competing block within ∆ time slots.
• σ3 : H||0, hk , k ≤ ∆, similar to σ1, the fork is caused by iron blocks.
• σ4 : H||0, h∆ ||0∗, similar to σ2, an iron block has no other competing iron blocks within
∆ time slots.
Remark 3.1 To guarantee that the iron block in σ4 can beat competing regular blocks (if any), we
require that θ should be larger than the number of regular blocks mined in 2∆ time slots with high
probability, which induces a lower bound of θ, see Lemma 3.3 and Equation (7).
Patterns σ1 and σ3 represent the cases where another block is produced too soon (within syn-
chronization delay) after an honest block (regular or iron). Conversely, patterns σ2 and σ4 represent
the cases where no honest block and no iron block is mined within ∆ time slots after an honest reg-
ular block and an honest iron block, respectively. Let a characteristic string w ∈ h,H, 0∗ starting
with H or h. Following the greedy pattern matching principle, the decomposition of w into the
above four patterns in Definition 3.1 uniquely exists. We omit the proof since it is straightforward.
We can explicitly calculate the occurrence probability and expected length since each symbol is
drawn independently from an identical multinomial distribution. For notation brevity, define the
probability for two types of blocks:
qa = (1− q)pa, qA = qpa, qh = (1− q)ph, qH = qph.
The probability of the occurrence and the expected length of σi can be easily calculated as
P(σ1) = qh[1− (1− ph)∆], E[|σ1|] =
1ph− ∆(1−ph)
∆
1−(1−ph)∆,
P(σ2) = qh(1− ph)∆, E[|σ2|] =
1ph
+∆,
P(σ3) = qH [1− (1− qH)∆], E[|σ3|] =1qH− ∆(1−qH )∆
1−(1−qH )∆,
P(σ4) = qH(1− qH)∆, E[|σ4|] =1ph
+∆.
9
Analysis of the Semi-Markov Chain. We define three Markov states based on the four patterns
defined above to capture the evolution of the blocks. State S0 is visited whenever patterns σ2 or
σ4 occurs, which means that honest parties have a chance to agree on the heaviest chain. States
S1 and S2 correspond to σ1 and σ3, respectively. In these two states, honest parties are very likely
to suffer from forks due to the network delay, even in the absence of the adversary. The transition
graph is shown in Figure 3. Each edge corresponds to the pattern that causes the transition. The
transition probability from state Si to Sj is denoted as Pij .
S1 S2
S0
σ2, σ4
σ1
σ3σ2, σ4
σ1
σ3
σ4
σ3
Fig. 3: The state transition diagram. For example, if the system is at S0 and a pattern σ3 occurs, then theMarkov chain will transit into S1.
Proposition 3.1 (Markovian Property) The blockchain system shown in Figure 3 is a semi-
Markov chain, and its embedded Markov chain is ergodic. The transition probabilities are
P00 =P(σ2)+P(σ4)
ph, P01 =
P(σ1)ph
, P02 =P(σ3)ph
,
P10 =P(σ2)+P(σ4)
ph, P11 =
P(σ1)ph
, P12 =P(σ3)ph
,
P20 =P(σ4)qH
, P21 = 0, P22 =P(σ3)qH
.
(3)
Proof. The blockchain system makes a state transition whenever a pattern occurs. Therefore, we
can regard each pattern as one step. Given the present state, the next state is independent of history
and only depends on the present state. Hence, it satisfies the Markovian property. Obviously, the
chain is irreducible and the three states are positive recurrent. Since the transition time between
any two states is random, the blockchain system is a semi-Markov chain and the embedded Markov
chain is ergodic.
The transition probabilities between two states are proportional to the pattern occurrence prob-
abilities corresponding with the edge between two states. From Figure 3, the transition probability
in Equation (3) can be computed by conditional probabilities. For example, the transition S0 → S1
happens when an honest block is mined and this block constitutes a pattern σ1 with the following
‘0’ symbols less than ∆. Therefore, P01 is the conditional probability of pattern σ1 occurrence
when an honest block was mined and the system was at S0. Other transition probabilities can be
interpreted similarly.
10
Compared with the Markov model in [14], our model extends it in two aspects:
• We explicitly provide more precise definitions of states and transition events. The transition
time between states depends on the length of patterns that are not “memoryless” random
variables, namely, how long the system has stayed in its current state.
• To characterize the effect of iron blocks, we add a new state S2 that is not symmetric with
respect to S1 due to the large weight of iron blocks.
State Transitions and Consistency. We first provide three scenarios where honest parties
have a chance to converge, and what it takes for the adversary to break the convergence. Our proof
will be based on analyzing the probability of these scenarios and the requirement of the adversary.
Figures 4 to 6 share the same legends for the types of blocks, and the block with dashed edges on
the left end is the one that all honest parties agree on and follow. The numbers in each block are
the labels defined in Section 2.2, i.e., the time slots when these blocks are created.
adversaryregular
adversaryiron
honestregular
honestiron
1 4
2
7
5
4
S0 S1 S1 S0
σ1 σ1 σ4
Fig. 4: The convergence due to an honest iron block. The ∆-fork is based on w = · · ·hh0Hh0H with∆ = 2, θ = 4.
The first scenario, illustrated in Figure 4, shows the convergence due to an honest iron block.
Before time slot 7, there is a competition between honest block 5 and honest block 4 due to the
network delay ∆ = 2. At time slot 7, the honest iron block 4, which has been received by all honest
parties, beats the regular block 5 due to its larger weight. In the semi-Markov chain model, it is
the state transition S1σ4−→ S0 that finalizes the competition of the two honest fork chains 1 ← 4
and 2← 5. In this event, to prevent the convergence, the adversary needs to publish blocks with at
least θ weights (e.g., the adversary block 4 in the graph) before time slot 7. Otherwise, all honest
parties will follow the heaviest chain 1← 4← 7 at time slot 7. So we can conclude that whenever
the event S1σ4−→ S0 happens, the adversary needs to publish blocks with at least θ weights to break
the consistency. Thus, the frequency of the occurrence of such a pattern will induce a minimum
requirement of the adversary mining power in order to break consistency.
The second scenario, illustrated in Figure 5, shows the convergence due to an honest regular
block followed by a silence period longer than the delay bound. By time slot 7, if the adversary
does not publish a regular block (e.g., block 6), all honest parties will agree on the chain containing
block 5, because no other blocks compete with the block 5 in the following ∆ time slots. Such a
situation, characterized by the event S0σ2−→ S0, requires 1 weight from the adversary to break the
consistency.
11
1
2
3 5 7
6
S0 S2 S0 S0
σ3 σ4 σ2
Fig. 5: The convergence due to an honest regular block followed by a silent period longer than delay bound.The ∆-fork based on w = · · ·HHh0h0h with delay ∆ = 1, θ = 4.
The third scenario is quite similar to the second one. If we replace the regular block 5 in Figure 5
with an iron block, which is characterized by S0σ4−→ S0 instead of S0
σ2−→ S0, all honest parties will
agree on the chain containing block 5. The only difference is that it takes the adversary θ weight
to break the consistency.
1
2
3
5
8
S0 S2 S0 S0
σ3 σ4 σ2
Fig. 6: Illustration of failure of the event S2
σ4−→ S0
σ2−→ S0 in leading to agreement. The ∆-fork is based onw = · · ·HHh0h00h with delay ∆ = 2, θ = 4. At a time slot 8, the two fork chains are still competing, even
though the system just finishes the transition S0
σ2−→ S0.
Although the above three scenarios suffice for our proof, we provide a carefully constructed
scenario, among many scenarios where honest parties cannot reach an agreement, to illustrate the
intricacies. We can say that the second scenario is characterized by S0σ2−→ S0. However, we cannot
say that S0σ2−→ S0 must fall into the second scenario. Figure 6 depicts an example, which can be
characterized in the same way as the second scenario (S0σ3−→ S2
σ4−→ S0σ2−→ S0) in the semi-Markov
model. In this example, honest parties fail to converge even in the absence of the adversary. At
time slot 2, two iron blocks compete with each other. The newly mined regular block 3 does not
finalize the competition since there is no sufficiently long silent period afterward for synchronization.
Hence, regular blocks 5 and 8, produced by honest parties, append after different (honest) chains
due to network delay. During the whole period, honest parties cannot reach an agreement on the
heaviest chain at any time. This case shows that unlike the transitions S0σ4−→ S0 and S1
σ4−→ S0
(corresponding to the first and the third scenarios), transition S0σ2−→ S0 needs to be analyzed
carefully.
Adversary Mining Power Requirement. Combining all the above-discussed state transition
scenarios, we can obtain the mining power requirement for adversary parties to break consistency.
It is a minimal requirement since we always consider the worst cases for honest parties and ideal
cases for the adversary. Our analysis depends on counting the agreement blocks defined to be those
which beat other competing blocks (if any) and thus are accepted by all honest parties (e.g., iron
block 4 in Figure 4, regular block 5 in Figure 5).
12
Consider a period with length L. We define αL as the total weights of the agreement blocks
divided by L, which is also the mining power requirement for the adversary during this period to
break convergence. Let #LE be the counter of the occurrence of the event E in the given period.
As explained in the above scenarios, once the event S0σ2−→ S0 with the previous state not at S2
happens, the adversary needs to produce blocks with at least 1 weight. In the events S0σ4−→ S0
or S1σ4−→ S0, the adversary needs to produce blocks with at least θ weights. Thus, αL can be
expressed as
αL = 1L
[
#L(S0σ2−→ S0)−#L(S2
σ4−→ S0σ2−→ S0) + θ(#L(S0
σ4−→ S0) + #L(S1σ4−→ S0))
]
.
For example, α7 = θ7 in Figure 4, because the transition S1
σ4−→ S0 requires θ weights in L = 7
time slots. In Figure 5, α7 = θ+17 , since the transitions S0
σ2−→ S0 and S0σ4−→ S0 produce 1 and θ
weight(s), respectively.
It is not tractable to analyze αL for a fixed L precisely to obtain a closed-form expression.
Fortunately, using renewal theory and strong law of large numbers, we can show that αL converges
almost surely to a constant α, which is the long-run lower bound of minimal required mining power
for the adversary. The proof of the following lemma is in Appendix .2.3.
Lemma 3.1 The minimal mining power requirement α := limL→∞
αL is well-defined and it can be
calculated as
α =π0P00P(σ2)
[P(σ2) + P(σ4)]∑2
i=0 πiµi
(
1−π2P20
∑2i=0 πiPi0
)
+ θπ0P00P(σ4) + π1P10P(σ4)
[P(σ2) + P(σ4)]∑2
i=0 πiµi
,
where πi and µi are the stationary distribution of the embedded Markov chain and the expected time
spent in state Si before making a transition, respectively. The exact expression of α is
α = 1ph
[
(1− qH)∆(q2h(1− ph)2∆ + qHqh(1− ph)
∆(1− qH)∆ + θphqH(1− qH)∆)]
. (4)
We use concentration inequalities to measure the deviation |αL − α|. Intuitively, the time
for transitions between states is a sub-exponential random variable, so the tail probability of the
transition time deviating from its expectation has an exponential decay. Such concentration bounds
enable us to establish that over a long time period, the probability that the αL deviates from its
limit will be exponentially small in the deviation size.
Lemma 3.2 For a given period L with at least one honest block, the probability of underestimating
the minimal mining power requirement, namely, αL < (1 − δ)α, is negligible for sufficiently large
time L.
We defer the proof to Appendix .2.4. Due to the dominated convergence theorem, E[αL] → α
as L goes to infinity. The asymptotic result is the best that we can obtain since E[αL] differs for
different L, e.g., for L < ∆, αL ≡ 0. Although the sub-gaussian property holds for the random
variable αL, we can only obtain a sub-exponential tail probability of the deviation |αL−α| because
the time spent on each edge is a sub-exponential random variable. This lemma shows that we can
use Lα to approximate the weights of agreement blocks produced by honest parties in the given L
slots.
13
Theorem 3.1 (Consistency) The Ironclad protocol satisfies the consistency if there exists δ > 0
such that
α ≥ (1 + δ)β, (5)
where β = qa + θqA.
Proof. If there exists a δ > 0 satisfying the requirement, there will be a mining power gap between
honest parties and the adversary. According to Lemma 3.1, the heaviest honest chain has a higher
weight growth rate than the adversary. When the leading weights of the heaviest honest chain
are θ, then at least one agreement block is produced by honest parties, and the adversary fails
to announce blocks with equal weights to break consistency. Therefore, the consistency property
holds for k > θα−β with high probability according to Lemma 3.2.
Intuitively, β is the maximal rate of block weights that the adversary can produce. When
β > α, the adversary can break the consistency by announcing blocks with enough weights with
high probability whenever the transitions S0σ2−→ S0, S0
σ4−→ S0 and S1σ4−→ S0 happen.
Comparison with Nakamoto’s Consistency. To show the improvement brought by our method
on the consistency bound, we theoretically compare minimal mining power requirements for the
adversary to break consensus in the Nakamoto protocol with and without Ironclad. It suffices to
only compare with the original Nakamoto protocol because many PoW-based protocols are derived
from it, and the improvement can potentially be carried over to other Nakamoto variants as we will
discuss in Section 6.
Since the original Nakamoto protocol can be viewed as a special case of Ironclad with the
probability of iron blocks set to be 0, we can calculate the minimal mining power requirement for
Nakamoto by plugging q = 0 into Equation (4) to get α0 = ph(1 − ph)2∆. Note that [14] provides
almost the same consistency bound as α0 by considering the model with a slightly different pattern
decomposition. The bound [14], essentially α0, serves as a good benchmark because it provides
a precise expression of Nakamoto consistency bound, and it is comparable with our result in the
same theoretical framework.
We define a relative performance R = α/(θq+1−q)α0/1
to compare the minimal mining power require-
ment (normalized by the mean of block weight) for the adversary to break consensus in Nakamoto
consensus with and without Ironclad. To show the improvement when using Ironclad, we will show
that R is larger than 1 for a broad range of parameters.
Theorem 3.2 The relative performance ratio R > 1 for all proper parameters:
0 < ph, q < 1, ∆ ≥ 1, θ ≥ maxθ, 1 > 0,
where the lower bound θ for the weight of iron blocks is defined in Equation (7).
We provide a sketch of the proof here. We first treat ph,∆, q as constants and view R as a
function of θ. Then, we show that R is monotonically increasing in θ. Thus, it suffices to show
R > 1 for θ = 1 using the weighted power mean inequality. The full proof with details is in
Appendix .2.6.
Another way to view the consistency bound of the Nakamoto protocol is from [9, 6] which state
14
that consistency holds under the following condition,
1
ph+∆ <
1
pa, (6)
where ph and pa are defined in Section 2.1, representing the honest and adversarial mining rates,
respectively. Note that the fraction of adversarial mining power is ρ = paph+pa
and the block produc-
tion time (in time slots normalized by the delay bound ∆) is c = 1(ph+pa)∆
. Therefore, (6) can be
visualized in Figure 1 (so do our consistency bound (5) and the bound in [14]).
The consistency bound of the original Nakamoto protocol (6) is proven to be tight in [9, 6],
which is intuitive since the LHS of (6) indicates how the network delay affects the honest chain
growth rate in the worst case. If the adversary has a higher mining rate than this “discounted”
honest mining rate, then the system is likely to be insecure since the adversary has enough power
to break the agreement among honest parties.
As depicted in Figure 1, our the consistency bound of Nakamoto+Ironclad outperforms the tight
bound (6) for Nakamoto. It means that our method Ironcladcan go beyond the theoretical limit of
the original Nakamoto protocol. The reason is that our method leads to fundamental improvement
on the consensus by changing the protocol from “longest chain rule” to “heaviest chain rule”.
A Lower Bound of θ. The example in Figure 4 shows how iron blocks lead to consensus by
dominating the competing regular blocks (corresponding to σ4) due to their larger weight. This
outcome requires that θ be larger than the number of competing regular blocks within the preceding
and following ∆ time slots at creating such an iron block (corresponding to σ4). Hence a naive lower
bound is 2∆, which is too large in practice. The weight parameter θ, jointly with the randomness
parameter q, should be a hyperparameter to allow different choices and optimization. We can trade
off the value of θ and the requirement holding probability. We first construct the upper confidence
bound of the number of regular blocks in σ4.
Lemma 3.3 The probability that the number of regular blocks Y in the pattern σ4 exceeding θ
decays exponentially as θ grows. More precisely,
P(Y ≥ θ) ≤ exp
(
−qh∆δ2
(1− qH)(2 + δ)
)
,
where δ = (1−qHqh∆
)θ − 1.
See proof in Appendix .2.5.
To satisfy the requirement with probability 1 − ǫ, we can leverage Lemma 3.3 to construct an
lower confidence bound of θ as
θ :=2qh∆
1− qH− ln ǫ+
√
(ln ǫ)2 −8qh∆
1− qHln ǫ. (7)
In [24, 14], ph = 10−13, ∆ = 1013 time slots, which corresponds to the case where the average
time between two honest blocks is 10 seconds. By setting a significance level ǫ = 10−10, we can get
θ ≥ 51.8, ∀q ∈ (0, 1), which is a mild requirement for θ compared with 2∆.
15
3.2 Liveness
As an essential property of a public ledger, liveness relies on the fundamental chain properties:
chain quality and chain growth, which we establish in this section.
Chain growth indicates the growth rate in terms of the weight of the heaviest honest chain.
Since the heaviest chain may switch as the fork grows, it is necessary to track the weight growth
rate of the ∆-fork instead of a fixed single chain.
Lemma 3.4 (Chain Growth) Given S ∈ [L], t ∈ [L − S] and a ∆-fork FL ∈ F∆(w1:L, w′1:L)
over a lifetime of L slots, for any δ > 0, the weight growth of the fork W(Ft+S−∆) −W(Ft−∆) is
at least (1− δ)Sph1−q+qθ1+ph∆
with probability 1− exp(−Ω(Sδ2)).
The proof is in Appendix .3.1, and we provide a brief sketch here. At time t, the honest parties
hold chains in Ft with cumulative weights at least W(Ft−∆). Therefore, W(Ft+S−∆) −W(Ft−∆)
measures the minimum growth of cumulative weights during S time slots, which is characterized
by parameter g = ph(1−q+qθ)1+ph∆
.
Lemma 3.5 (Chain Quality) For a given period with L time slots, let Ft ∈ F(w1:t, w′1:t) with
corresponding characteristic string |w| = |w′| = L and ∆ ≤ t ≤ L. For all dominant chains
Ct−∆ ⊂ Ft−∆ such that W(Ct−∆) =W(Ft−∆) = D, and all chain segments S ⊂ Ct−∆ such that the
first block of S is discovered by honest parties and the last block is the head of Ct−∆, the weights
contributed by honest blocks in S is at least 1−(1+δ)D( paph +pa∆) with probability 1−exp(−Ω(δ2D)).
Chain quality is the fraction of the honest weight in the heaviest honest chain. Our method
Ironclad guarantees the chain quality to be above the fraction f = 1− (1+ δ)( paph +pa∆). The proof
is deferred to Appendix .3.2.
It is now straightforward to establish the liveness property for Nakamoto consensus equipped
with Ironclad, which is similar to previous works [9, 8, 24, 27]. The intuition is that chain growth
and chain quality guarantee the occurrence of honest blocks in the heaviest chain and consistency,
which we have established in Theorem 3.1, ensures that there exists a time such that honest parties
will agree on the same heaviest chain.
Theorem 3.3 (Liveness) Nakamoto’s protocol equipped with Ironclad satisfies liveness if chain
growth, chain quality and consistency hold.
4 Selection of Parameters
4.1 Optimal q
The parameter q in Ironclad controls the frequency of iron blocks among all valid blocks, which is
flexible by design. According to Theorem 3.1, consistency is satisfied for β < α, or equivalently,
paph
<α
ph(1− q + θq).
To select a reasonable q, we define the tolerance ratio of mining power between the adversary and
honest parties.
16
Definition 4.1 (Tolerance Ratio) The tolerance ratio A is defined as
A =α
ph(1− q + θq).
The analytical expression for the tolerance ratio is shown in Appendix .2.7. In order to deal with
it mathematically, we also derive a close approximation A in Equation (9). We show that A fits A
well in Figure 13. We find three interesting properties of A, which reveals some unique features of
our method.
Theorem 4.1 For any ph, ∆ and θ ≥ max(θ, 1),
1. the maximizer q∗ for A exists in (0, 1);
2. a unique maximizer q∗(θ) of A exists in (0, 1). Moreover, q∗(θ) decreases in θ;
3. the optimal value A∗θ of A for each θ increases in θ.
The intuition of the proof, which is in Appendix .2.8, can be explained using the first chart
in Figure 13. The system consensus benefits (tolerance ratio A increases) from increasing q when
q is small. This is because iron blocks can effectively reduce the forks caused by regular blocks.
However, when q exceeds a certain threshold q∗, A starts to decrease because the competition
among iron blocks themselves becomes the main issue as regular blocks become less.
The unimodality of tolerance ratio in q provides useful insights. If we fix ph, ∆ and θ, there
will exist a non-trivial maximizer q∗ for it. Therefore, we can obtain the optimal q∗ by maximizing
A for each θ, which can be numerically solved. The second chart of Figure 13 illustrates the
corresponding results for specific ph and ∆ in the Ethereum setting. We find a decreasing trend for
q∗ as θ grows, which conforms to our intuition. The approximation result for q∗(θ) also explains
the intuition mathematically. It is obvious that the approximation curve fits the sample points very
well.
The third property is depicted in the third chart of Figure 13. The mining power gap in
the original Nakamoto protocol is ph − pa, and it is scaled up to be (ph − pa)(1 − q + qθ) in
Nakamoto+Ironclad due to the effect of iron blocks, which indicates that the new one can tolerate
more adversarial mining power.
Furthermore, Figure 7 compares theoretical A with numerical simulation. We can observe that
the properties in Theorem 4.1 still hold in simulation. The optimal randomness parameter q with
respect to adversarial tolerance ratio A gradually decreases as θ ascends. It is also observable that
A∗θ grows as θ grows. Compared with simulation data, theoretical results serve as relatively precise
lower bounds for each case. In theory, we always consider the worst cases, while simulation results
are obtained in the sense of average. For example, a pattern ‘hh’ is always assumed to cause a fork
in theory, but it may not cause a fork in reality, because the two blocks may be mined by the same
miner in consecutive time slots.
4.2 Discussion of θ
The choice of θ cannot be analyzed by an optimization formulation due to a tradeoff between θ and
confirmation time. We build a random walk model that can characterize the attack process in the
17
0.02 0.04 0.06 0.08 0.10
0.45
0.5
0.55
0.6
0.65
0.7
0.75
0.8
0.85
0.9
0.95
randomness parameter q
Adversarytolerance
ratioA
θ = 50 in simulationθ = 100 in simulationθ = 200 in simulationθ = 400 in simulation
Fig. 7: The adversary tolerance ratio A in theory and simulation with parameter settings: ph = 3
4∆,
∆ = 1013. The dashed curves with the same colors correspond to theoretical results. The data points arecomputed by using the Definition 4.1, where the values of α are obtained from simulation withcorresponding θ and q. The simulation settings are explained in detail in Section 5.
18
Nakamoto protocol equipped with Ironclad to reveal such a trade-off.
Suppose that the condition of Theorem 3.1 is satisfied, then according to Lemma 3.1, there
exists γ > 0 such that
g = (1 + γ)pa(1− q + qθ), (8)
where g is the chain weight growth rate in Lemma 3.4. We analyze the attack process by studying
the competition between adversarial chains and the heaviest honest chains. Note that the time
interval between any two consecutive blocks is a geometric random variable that is “memoryless”
in our slot-based model. Based on this property, we use a two-dimensional Markov chain to describe
the competition. We use (Xn, Yn) to denote the state at n-th step, representing that the heaviest
honest chain leads the adversarial chain by Xn regular blocks and Yn iron blocks. The initial state
is assumed to be (0, 0) without loss of generality. Whenever honest/adversarial parties produce a
block, the corresponding coordinate will increase/decrease by 1.
Denote q the conditional probability for a block to be an iron block in the honest heaviest chain.
Clearly, it is larger than q. Intuitively, iron blocks can beat competing regular blocks and therefore
have a better chance to be accepted in the heaviest chain. The intuition is also supported by
simulation data in Section 5. As for the adversary, the conditional probability is still q according
to the model assumption. In general, it is intractable in this model to obtain exact theoretical
expressions of q and γ, so we estimate them by using empirical values in simulations without
adversarial attacks. Now we can formulate the state transition probabilities:
(Xn+1, Yn+1) =
(Xn + 1, Yn), w.p. (1+γ)(1−q)2+γ ,
(Xn − 1, Yn), w.p. 1−q2+γ ,
(Xn, Yn + 1), w.p. (1+γ)q2+γ ,
(Xn, Yn − 1), w.p. q2+γ .
We then define the failure rule of attacks, namely, the condition when the adversary gives up the
attack. In [24, 14], the adversary gives up the current attack upon the following situation: (1) the
heaviest chain exceeds the adversarial private chain by at least one block; (2) the adversary does
not mine blocks within the following ∆ time slots; (3) next block is mined by the honest parties.
In this model, we simplify the failure condition by setting a general threshold:
τ = n : Xn + θYn ≥ threshold,
which is the stopping time when the adversary gives up the current attack and starts a new one.
During the random walk, the meaningful message is the distribution of the following statistic:
adversarial fork length =τ∑
n=1
IXn<Xn−1 or Yn<Yn−1.
A longer adversarial fork length leads to a longer confirmation time in applications such as public
ledger.
We resort to the Monte Carlo algorithm to obtain numerical solutions. For each attack, the
Monte Carlo algorithm samples a path from the initial point to a point beyond the area of the plane
(x, y)|x+θy < threshold. For each instance, q is set to be optimal corresponding with each θ (see
19
the detailed setting in Section 5). We repeat the random walk for 1×108 times with the estimators
γ = 0.5 corresponding to the honest mining power ph = 1∆ and adversarial mining power pa = 1
3∆
(i.e., ρ = 14). The original Nakamoto protocol can be treated as a special case when q = q = 0 in
the previous random walk model. The conditional probability q = 0.12, 0.084, 0.065, 0.063, 0.053 for
θ = 100, 200, 300, 400, 500, respectively. We set the threshold to be 2. In this way, we can obtain
the adversarial fork length distribution, thus estimating its mean and the tail probabilities.
The numerical experiments show that as θ grows, the expected adversarial fork length will
also increase, thus inducing a longer confirmation time. Figure 8 depicts that θ cannot be too
large in order to defend against consensus attacks effectively, since otherwise, it will make the
confirmation time too long. This study also shows that the Nakamoto protocol equipped with
Ironclad outperforms the original one regarding the expected adversarial fork length in this random
walk model and simulation in Section 5.
Nakamoto in random walk Nakamoto in simulation
100 150 200 250 300 350 400 450 5003
3.5
3.86
4
3.27
3.65
3.88 3.9
4.04
3.14
3.53
3.82 3.84
3.96
θ
adversarialfork
length
with Ironclad in random walk with Ironclad in simulation
Fig. 8: This figure depicts the tradeoff between θ and the expected adversarial fork length. The dashedbrown and green lines are the expected adversarial fork length of the original Nakamoto in theory andsimulation, respectively.
Figure 9 shows the distributions of adversarial fork length for different weight parameters. It
is observable that a larger θ also worsens the tail probabilities of adversarial fork length. The two
results together illustrate the trade-off between security and confirmation time: a larger θ leads to
a better security threshold but longer confirmation time. The intersection points of tail probabilities
for the original and upgraded protocols are (43, 2.9 × 10−5) and (20, 5.67 × 10−4) for θ = 100 and
θ = 500, respectively. Indeed, the tail probabilities of Ironclads are worse than that of the original
Nakamoto protocols. However, the required length where the upgraded one becomes worse is quite
large and infrequent to confront in practice.
20
0 10 20 30 40 50 60
10−5
10−4
10−3
10−2
10−1
Adversarial fork length
Probab
ility
original Nakamoto
Nakamoto+Ironclad(θ = 100)
Nakamoto+Ironclad(θ = 500)
Fig. 9: This graph depicts the probability for an execution of Nakamoto and the upgraded Nakamoto tosustain a fork of a particular length.
5 Numerical Experiments
Our result (Figure 1) about adversarial tolerance is based on the analysis of consistency Theo-
rem 3.1, which shows a significant improvement on the consistency bound by Ironclad. Introducing
iron blocks will also affect other properties of blockchain consensus. This section aims to provide
numerical experiments on estimations and comparisons to show the efficacy of Ironclad.
5.1 Setup
We simulate a fully connected network with 1000 honest miners and network delay bound ∆ = 1013
time slots. In the simulation, the adversary has a much lower network delay, maintains its own
private chains, and releases its blocks at proper time to prevent the convergence of honest miners
as described in Section 3.1.
We measure the performance in different adversarial mining power proportions ρ and block
generating rates p normalized by the network delay ∆. In each parameter setting, we keep θ = 500
and set corresponding q to be the optimal value using the theoretical results in Section 4.1. For
example, when we set ρ = 0.25, p = 0.5 blocks per ∆ time slots, the optimal q = 0.02475 for
θ = 500.
5.2 Measurement
In the numerical experiments, we focus on the following four key performance metrics.
• Chain quality. We calculate the proportions of honest blocks in the heaviest chain. A larger
proportion means that honest miners can obtain more rewards (e.g., coinbase and transaction
fee, determined by the application level setting of the system). We also calculate the honest
21
Nakamoto+Ironclad (by weight) Nakamoto+Ironclad (by number)
Nakamoto Security threshold of Nakamoto
0 0.1 0.2 0.3 0.40
0.2
0.4
0.6
0.8
1
(a) adversarial mining power proportion ρ
Chainquality
1100
150
120
110
14
12
1 2 4 10 25 501000
0.2
0.4
0.6
0.8
1
(b) block generating rate p
Chainquality
0 0.1 0.2 0.3 0.40
0.2
0.4
0.6
0.8
1
(c) adversarial mining power proportion ρ
Quality-growth
1100
150
120
110
14
12
1 2 4 10 25 501000
10
20
(d) block generating rate p
Quality-growth
Fig. 10: Chain quality and Quality growth comparison with varying adversarial proportion and blockgenerating rate in a single chain. The values of quality-growth, confirmation time and block generatingrates are normalized by the network delay ∆.
Security threshold of Nakamoto Nakamoto+Ironclad (95th percentile) Nakamoto (median)
Nakamoto+Ironclad Nakamoto Nakamoto (95th percentile) Nakamoto+Ironclad (median)
0 0.1 0.2 0.3 0.40
0.1
0.2
0.3
(a) adversarial mining power proportion ρ
Agreementduration
ratio
1100
150
120
110
14
12
1 2 4 10 25 501000
0.2
0.4
0.6
0.8
(b) block generating rate p
Agreementduration
ratio
0 0.1 0.2 0.3 0.4
100
102
104
(c) adversarial mining power proportion ρ
Con
firm
ationtime
1100
150
120
110
14
12
1 2 4 10 25 50100
100
101
102
103
(d) block generating rate p
Con
firm
ationtime
Fig. 11: Agreement duration ratio and confirmation time comparison with varying adversarial proportionand block generating rate in a single chain. The unbounded values of Nakamoto consensus in (c) and (d)are omitted.
proportion by weight, since iron blocks may be assigned more rewards due to their large
weights and higher difficulty in applications. (see Figure 10)
• Quality growth. We calculate the growth rate of honest blocks in the heaviest chain, both
by number and by weight. For comparison, we normalize the weight growth rate by the
expected block weight which varies according to the parameters q and θ. (see Figure 10)
• Agreement duration ratio. When all honest parties agree on the heaviest chain due to an
agreement block, such agreement will last a while until new forks occurs. We calculate the
proportion of such periods during the total running time of the execution. (see Figure 11)
• Confirmation time. We count the time for each block from production to confirmation by
all honest parties. We report the median and 95% percentile of the confirmation time for all
blocks in the simulation horizon. (see Figure 11)
5.3 Single Chain: Nakamoto v.s. Nakamoto+Ironclad
The theoretical results established in Section 3.1 show that more adversarial mining power is re-
quired to break convergence when Nakamoto consensus is equipped with our method. We conduct
comparisons in a wide range of ρ and p to show the efficacy.
Note that there exists a security threshold of Nakamoto consensus (see Figure 1) that indicates
the maximum adversarial tolerance and block generating rate. When adversarial mining power
22
proportion ρ is too large or the block generating rate p is too high, honest parties cannot reach
an agreement with overwhelming probability. In our experiments of Nakamoto consensus, the
performance metrics become either 0 (e.g., chain quality) or unbounded (e.g., confirmation time)
when the parameters violate the security threshold. We plot a dashed line in each figure to show
this security threshold and omit the unbounded values. Note that Nakamoto+Ironclad has a much
larger consistency region in terms of ρ and p.
Varying adversarial mining power proportion. In this group, we fix g = 1 block per ∆
time slots and vary the adversarial mining power fraction (ρ = 0, 0.05, 0.1, . . . , 0.45). As shown
in Figures 10 and 11, overall, the performance of Nakamoto+Ironclad outperforms the original
Nakamoto,especially when ρ is large. 1) Ironclad can help tolerate more adversarial mining power.
The security threshold (dashed line in Figures 10 and 11) indicates that the original Nakamoto can
only tolerate at most 0.382 adversarial fraction in this block rate, while the consistency still holds
even for ρ = 0.45 with our method, and our theoretical bound is 0.48 (see Figure 1 when c = 1).
2) Ironclad can help to reduce the confirmation time. The general median and conservative 95th
percentile values both illustrate this fact. 3) Ironclad can achieve more robust chain performance
when adversarial mining power is not large enough. We can find that the slopes of curves of the
upgraded chain are smaller than those of the original chain when ρ < 0.35.
Note that there is a gap between the metrics (chain quality and quality-growth) measured by
number anb by weights in Figure 10 for Nakamoto+Ironclad. It indicates that the frequency of
iron blocks is larger than the randomness parameter q in the heaviest chain, which shows the effect
of iron blocks in beating competing regular blocks and finalizing current forks.
Varying block generating rate. In this group, we fix ρ = 0.25 and p varies from 0.01 to 100
blocks per ∆ time slots. As shown in Figures 10 and 11, the Nakamoto equipped with Ironclad still
outperforms the original Nakamoto protocol. The consensus properties become worse as p increases
for the original Nakamoto consensus. Interestingly, the effect of increasing p on the performance of
the Nakamoto+Ironclad is not monotone, which is caused by the generating rate of iron blocks. The
intuition is that the rate of iron blocks increases as p increases, although the corresponding optimal
q decreases. When p is small, the effect of iron blocks is not significant due to its low frequency.
As p increases, the honest iron blocks are more frequently accepted by all parties, which forces
the adversary to give up attacks since honest parties can generate more iron blocks in expectation.
When p is very large, the competition among honest iron blocks increases, allowing the adversary
to hold a heavier private chain. Therefore, the performance of chain quality and confirmation time
become worse.
6 Related Works and Potential Extension
The essence of Ironclad is to utilize randomness to enhance the desired properties. The focus of this
paper is to apply it to the original Nakamoto protocol and demonstrate how our method can lead
to better consensus performances. Based on the original idea of Nakamoto consensus, there have
been many PoW protocols leveraging different innovative ideas to achieve better performances for
various applications. Although they are pretty complicated and may depend on specific applications,
we briefly discuss some of these protocols and the potential combination with our method in this
section.
23
Decoupled consensus. Many protocols propose different types of blocks to perform different tasks.
BitcoinNG [7] proposes key blocks (for leader election) and microblocks (for carrying transactions)
to improve throughput without comprising security. FruitChains [22] introduces blocks (for leader
election) and fruits (for carrying transactions) to decrease the variance of mining rewards and
significantly reduce the need for mining pools. Prism [2] proposes voter blocks (for leader election),
transaction blocks (for carrying transactions) and proposer blocks (for packing transaction blocks)
to scale up the throughput to approach the physical limit. Our method differs from these protocols
because iron blocks are designed to resolve forks using their heavier weight to improve consistency
bound. This is independent of decoupling functions for leader election and carrying transactions.
Therefore, it is possible to apply Ironclad (with adaptation regarding implementation details) to
these protocols based on the decoupling idea to achieve better performance.
High forking protocols. Simply increasing the block rate will cause more frequent forks and
sacrifice security. GHOST [31] replaces the longest chain rule with the heaviest subtree rule to
tolerate forks. Miners keep track of a tree of blocks instead of a chain and append blocks to
the heaviest subtree that is measured by the total number of blocks in it. A series of protocols
[16, 17, 10, 32, 33] increase reference links and propose their different rules to solve forks in the
structure of the directed acyclic graph (DAG). However, GHOST and Conflux [17] is vulnerable
to the balance attack [21] in high block rate. To resist the balance attack, we can apply Ironclad
to GHOST by adaptively replacing the original number of blocks with the weights of blocks in a
subtree. Notice that the four patterns in definition 3.1 play similar roles in analyzing the consistency
of GHOST. Once pattern σ2 or σ4 occurs, honest parties have chances to figure out the heaviest
subtree at the end of the pattern. If pattern σ1 or σ3 occurs, it will be impossible for honest parties
to identify the heaviest. Hence, following the same analysis, we can extend Theorem 3.1 to GHOST
protocols: GHOST equipped with Ironclad satisfies the consistency if conditions in Theorem 3.1
are satisfied.
Another recent work GHAST [18] slows down the mining rate when detecting a divergence
of computing power. By setting a low difficulty target 2κ
ηw, GHAST assigns ηw weight to blocks
achieving this target and 0 for other blocks. This is quite similar to the idea of decoupled consensus
since blocks with 0 weight can only carry transactions when switching to this conservative strategy.
Ironclad, in contrast, can avoid the complex switching strategy by following a simple and effective
assignment rule. Furthermore, our analysis in Section 4.1 shows that the randomness parameter q
is not necessarily the reciprocal of the weight parameter θ. Our work provides general principles of
parameter selection based on an optimization problem to maximize tolerance to the adversary and
evaluating the trade-off between security and confirmation latency.
Parallel chains. Parallel chains [19, 36, 2], as special cases of DAG, run parallel Nakamoto
instances, leading to elegant and provable solutions in scaling blockchain. These protocols can
apply Ironclad to improve consensus, especially when parallel chains have weak correlations. As an
example, we apply Ironclad to OHIE [36] with ten parallel chains in the same parameter settings
(ρ, p, θ, q,∆) as the single chain case. In OHIE, a block is assigned to each parallel chain with
equal probability. Therefore, the balance attack [21] is ineffective in OHIE since the adversary
cannot concentrate its mining power on attacking a single chain, which allows us to assume that
the adversary always chooses honest trailing and behaves similarly to a single chain case. We omit
some metrics such as quality-growth because they can be regarded as the average of all single chains.
24
We study the confirmation time since constructing a global ledger relies on a shared confirmation
threshold in OHIE, which means that the number of parallel chains affects the system confirmation
time. As shown in Figure 12, the confirmation time of the parallel chains equipped with Ironclad
is less than that of original parallel chains overall. Compared with single-chain cases in Figure 11c
and Figure 11d, parallel chains have higher but similar curves, which shows the comparable efficacy
of Ironclad improving performance in parallel chains.
Ironclad + OHIE (median) Ironclad + OHIE (95th percentile) OHIE (median) OHIE (95th percentile)
0 0.1 0.2 0.3 0.4100
102
104
(a) adversarial mining power proportion ρ
Con
firm
ationtime
1100
150
120
110
14
12
1 2 4 10 25 50100
100
101
102
103
(b) block generating rate of each chain p
Con
firm
ationtime
Fig. 12: Confirmation time comparison with varying block generating rate in each parallel chain andadversarial mining power proportion in 10 parallel chains. The dashed lines correspond to Nakamotosecurity thresholds that are still effective in OHIE since each parallel instance is a Nakamoto chain.
Hybrid blockchain-BFT consensus. Some works adopt the classical ideas of Byzantine fault
tolerant (BFT) consensus to develop PoW-based blockchain protocols [1, 5, 15, 23]. These protocols
rely on the establishment of committees to achieve lower latency than Nakamoto-based protocols.
However, the adversary fraction of committees are required to be less than 13 and replenishing
committees leads to additional latency. A hybrid consensus protocol Thunderella [26] proposes
mechanisms to combine committees and the Nakamoto chain, which allows the system to switch
between optimistic and worst-case conditions to achieve low latency and large adversary tolerance.
However, even in the optimal conditions with 34 honest and online committees, a dishonest leader
will make the system enter the slow mode with the same latency as Nakamoto consensus. Our
method can still be applied to the Nakamoto part in Thunderella to enhance the ability to resist
the adversary when the system is in the slow mode for the same reason as previously discussed.
References
[1] I. Abraham, D. Malkhi, K. Nayak, L. Ren, and A. Spiegelman. Solida: A blockchain protocol
based on reconfigurable byzantine consensus. arXiv preprint arXiv:1612.02916, 2016.
[2] V. Bagaria, S. Kannan, D. Tse, G. Fanti, and P. Viswanath. Prism: Deconstructing the
blockchain to approach physical limits. In Proceedings of the 2019 ACM SIGSAC Conference
on Computer and Communications Security, CCS ’19, page 585–602, New York, NY, USA,
2019. Association for Computing Machinery. ISBN 9781450367479. doi: 10.1145/3319535.
3363213.
[3] S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meiklejohn, and G. Danezis.
Sok: Consensus in the age of blockchains. In Proceedings of the 1st ACM Conference on
25
Advances in Financial Technologies, AFT ’19, page 183–198, New York, NY, USA, 2019. As-
sociation for Computing Machinery. ISBN 9781450367325. doi: 10.1145/3318041.3355458.
[4] K.-M. Chung, H. Lam, Z. Liu, and M. Mitzenmacher. Chernoff-hoeffding bounds for markov
chains: Generalized and simplified. arXiv preprint arXiv:1201.0559, 2012.
[5] C. Decker, J. Seidel, and R. Wattenhofer. Bitcoin meets strong consistency. In Proceedings
of the 17th International Conference on Distributed Computing and Networking, pages 1–10,
2016.
[6] A. Dembo, S. Kannan, E. N. Tas, D. Tse, P. Viswanath, X. Wang, and O. Zeitouni. Everything
is a race and nakamoto always wins. Proceedings of the 2020 ACM SIGSAC Conference on
Computer and Communications Security, Oct 2020. doi: 10.1145/3372297.3417290.
[7] I. Eyal, A. E. Gencer, E. G. Sirer, and R. V. Renesse. Bitcoin-ng: A scalable blockchain
protocol. In 13th USENIX Symposium on Networked Systems Design and Implementation
(NSDI 16), pages 45–59, Santa Clara, CA, Mar. 2016. USENIX Association. ISBN 978-1-
931971-29-4.
[8] J. A. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol: Analysis
and applications. In EUROCRYPT (2), pages 281–310. Springer, 2015. doi: 10.1007/
978-3-662-46803-6 10.
[9] P. Gazi, A. Kiayias, and A. Russell. Tight consistency bounds for bitcoin. In Proceedings of
the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS ’20,
page 819–838, New York, NY, USA, 2020. Association for Computing Machinery. ISBN
9781450370899. doi: 10.1145/3372297.3423365.
[10] J. He, G. Wang, G. Zhang, and J. Zhang. Consensus mechanism design based on structured
directed acyclic graphs. Blockchain: Research and Applications, page 100011, 2021. ISSN
2096-7209. doi: https://doi.org/10.1016/j.bcra.2021.100011.
[11] A. Kiayias and G. Panagiotakos. On trees, chains and fast transactions in the blockchain.
In International Conference on Cryptology and Information Security in Latin America, pages
327–351. Springer, 2017.
[12] A. Kiayias, N. Lamprou, and A.-P. Stouka. Proofs of proofs of work with sublinear complexity.
In J. Clark, S. Meiklejohn, P. Y. Ryan, D. Wallach, M. Brenner, and K. Rohloff, editors,
Financial Cryptography and Data Security, pages 61–78, Berlin, Heidelberg, 2016. Springer
Berlin Heidelberg. ISBN 978-3-662-53357-4.
[13] A. Kiayias, A. Russell, B. David, and R. Oliynykov. Ouroboros: A provably secure proof-
of-stake blockchain protocol. In Annual International Cryptology Conference, pages 357–388.
Springer, 2017.
[14] L. Kiffer, R. Rajaraman, and a. shelat. A better method to analyze blockchain consistency. In
Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security,
CCS ’18, page 729–744, New York, NY, USA, 2018. Association for Computing Machinery.
ISBN 9781450356930. doi: 10.1145/3243734.3243814.
26
[15] E. K. Kogias, P. Jovanovic, N. Gailly, I. Khoffi, L. Gasser, and B. Ford. Enhancing bitcoin
security and performance with strong consistency via collective signing. In 25th usenix
security symposium (usenix security 16), pages 279–296, 2016.
[16] Y. Lewenberg, Y. Sompolinsky, and A. Zohar. Inclusive block chain protocols. In International
Conference on Financial Cryptography and Data Security, pages 528–547. Springer, 2015.
[17] C. Li, P. Li, W. Xu, F. Long, and A. C.-c. Yao. Scaling nakamoto consensus to thousands of
transactions per second. arXiv preprint arXiv:1805.03870, 2018.
[18] C. Li, F. Long, and G. Yang. Ghast: Breaking confirmation delay barrier in nakamoto consen-
sus via adaptive weighted blocks, 2020.
[19] W. Martino, M. Quaintance, and S. Popejoy. Chainweb : A proof-of-work parallel-chain
architecture for massive throughput. 2018.
[20] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2009. URL
http://www.bitcoin.org/bitcoin.pdf.
[21] C. Natoli and V. Gramoli. The balance attack against proof-of-work blockchains: The r3
testbed as an example, 2016.
[22] R. Pass and E. Shi. Fruitchains: A fair blockchain. In Proceedings of the ACM Symposium
on Principles of Distributed Computing, PODC ’17, page 315–324, New York, NY, USA, 2017.
Association for Computing Machinery. ISBN 9781450349925. doi: 10.1145/3087801.3087809.
[23] R. Pass and E. Shi. Hybrid consensus: Efficient consensus in the permissionless model. In 31st
International Symposium on Distributed Computing (DISC 2017). Schloss Dagstuhl-Leibniz-
Zentrum fuer Informatik, 2017.
[24] R. Pass, L. Seeman, and A. Shelat. Analysis of the blockchain protocol in asynchronous
networks. In Annual International Conference on the Theory and Applications of Cryptographic
Techniques, pages 643–673. Springer, 2017.
[25] J. Poon and T. Dryja. The bitcoin lightning network: Scalable off-chain instant payments,
2016.
[26] P. Rafael and S. Elaine. Thunderella: Blockchains with optimistic instant confirmation. In
Annual International Conference on the Theory and Applications of Cryptographic Techniques,
pages 3–33. Springer, 2018.
[27] L. Ren. Analysis of nakamoto consensus. IACR Cryptol. ePrint Arch., 2019:943, 2019.
[28] P. R. Rizun. Subchains: A technique to scale bitcoin and improve the user
experience. Ledger, 1:38–52, Dec. 2016. doi: 10.5195/ledger.2016.40. URL
https://ledger.pitt.edu/ojs/ledger/article/view/40.
[29] S. M. Ross, J. J. Kelly, R. J. Sullivan, W. J. Perry, D. Mercer, R. M. Davis, T. D. Washburn,
E. V. Sager, J. B. Boyce, and V. L. Bristow. Stochastic processes, volume 2. Wiley New York,
1996.
27
[30] Y. Sompolinsky and A. Zohar. Accelerating bitcoin’s transaction processing. fast money grows
on trees, not chains. IACR Cryptol. ePrint Arch., 2013:881, 2013.
[31] Y. Sompolinsky and A. Zohar. Secure high-rate transaction processing in bitcoin. In R. Bohme
and T. Okamoto, editors, Financial Cryptography, volume 8975 of Lecture Notes in Computer
Science, pages 507–527. Springer, 2015. ISBN 978-3-662-47853-0.
[32] Y. Sompolinsky and A. Zohar. Phantom. IACR Cryptology ePrint Archive, Report 2018/104,
2018.
[33] Y. Sompolinsky, Y. Lewenberg, and A. Zohar. Spectre: A fast and scal-
able cryptocurrency protocol. Cryptology ePrint Archive, Report 2016/1159, 2016.
https://eprint.iacr.org/2016/1159.
[34] Y. Sompolinsky, S. Wyborski, and A. Zohar. Phantom and ghostdag: A scalable gen-
eralization of nakamoto consensus. Cryptology ePrint Archive, Report 2018/104, 2018.
https://eprint.iacr.org/2018/104.
[35] Q. Wang, J. Yu, S. Chen, and Y. Xiang. Sok: Diving into dag-based blockchain systems.
CoRR, abs/2012.06128, 2020. URL https://arxiv.org/abs/2012.06128.
[36] H. Yu, I. Nikolic, R. Hou, and P. Saxena. Ohie: Blockchain scaling made simple. In 2020
IEEE Symposium on Security and Privacy (SP), pages 90–105, 2020. doi: 10.1109/SP40000.
2020.00008.
28
.1 Proofs of results in Section 3
.1.1 Computation of Pattern Length
The following are four types of patterns defined in Section 3.1.
1. σ1 : h||0k , k < ∆,
2. σ2 : h||0k , k ≥ ∆,
3. σ3 : H||0, hk , k ≤ ∆,
4. σ4 : H||0, h∆ ||0∗.
Let Y and Z be the geometric random variables with mean 1ph
and 1qH
, respectively.
• For E[σ1]:
The expected number of symbol ‘0’ in σ1 is E[Y − 1|Y < ∆] so the expected length is
E[Y |Y < ∆]. As a result of total expectation formula,
E[Y ] = E[Y |Y < ∆]P(Y < ∆) + E[Y |Y ≥ ∆]P(Y ≥ ∆).
By the memerylessness property of geometric distribution,
E[Y |Y ≥ ∆] = ∆+ E[Y |Y ≥ 0] = ∆ +1
ph,
and
P(Y ≥ ∆) =∞∑
k=∆
(1− ph)kph = (1− ph)
∆.
Solving for the above equation, we get
E[σ1] = E[Y |Y < ∆] =1
ph−
∆(1− ph)∆
1− (1− ph)∆.
• For E[σ2]:
Similarly, apply the memorylessness property:
E[σ2] = E[Y |Y ≥ ∆] = ∆+ E[Y |Y ≥ 0] =1
ph+∆.
• For E[σ3]:
The expected number of symbol ‘0’ in σ3 is E[Z − 1|Z < ∆] so similiarly as E[σ1],
E[σ3] = E[Z|Z < ∆] =1
qH−
∆(1− qH)∆
1− (1− qH)∆.
• For E[σ4]:
The computation process is the same as E[σ2].
29
.2 Analysis of the Semi-Markov chain
.2.1 The Expressions for Expected Edge Length
l00 =P(σ2)E[|σ2|]+P(σ4)E[|σ4|]
P(σ2)+P(σ4)l01 = E[|σ1|] l02 = E[|σ3|]
l10 =P(σ2)E[|σ2|]+P(σ4)E[|σ4|]
P(σ2)+P(σ4)l11 = E[|σ1|] l12 = E[|σ3|]
l20 = E[|σ4|] l21 = 0 l22 = E[|σ3|]
.2.2 Stationary Distribution of the Embedded Markov chain
π0 =1
qH+qh(1−qH )∆(qH(1− qH)∆ + qh(1− qH)∆(1− ph)
∆)
π1 =1
qH+qh(1−qH )∆(qh(1− qH)∆(1− (1− ph)
∆))
π2 =1
qH+qh(1−qH )∆(qH(1− (1− qH)∆))
.2.3 Proof of Lemma 3.1
Proof. We deal with each term in the expression in turn. For simplification, it suffices to
consider the first part, and other terms can be computed similarly.
#L(S0σ2−→ S0)
L=
#LS0
L·#Le00#LS0
·#L(S0
σ2−→ S0)
#Le00.
We compute the limit for each factor. First, we can regard each visit to the state S0 as a renewal.
It is because the intervals between each renewal are i.i.d. random variables that only depend on
the states of the Markov chain. We use µii to denote the expected transition time between two
consecutive visits of Si, then the renewal theorem yields
#LS0
L
a.s.−−→
1
µ00.
#Le00#LS0
is the frequency of visiting edge e00. Since the embedded Markov chain is ergodic, the
state S0 will be visited infinite times. Apply strong law of large numbers(SLLN):
#Le00#LS0
a.s.−−→ P00.
For the third expression, similarly, #L(S0
σ2−→S0)#Le00
converges to the probability that condition on a
visit of the edge e00, the visit is caused by σ2. The patterns are drawn independently, so the value
isP(σ2)
P(σ2) + P(σ4).
Therefore,
#L(S0σ2−→ S0)
L
a.s.−−→
P00P(σ2)
µ00[P(σ2) + P(σ4)].
30
The second and third term in α can be decomposed similarly:
θ#L(S0
σ4−→S0)L = θ#LS0
L · #Le00#LS0
· #L(S0
σ4−→S0)#Le00
a.s.−−→ θP00P(σ4)
µ00[P(σ2)+P(σ4)],
andθ#L(S1
σ4−→S0)L = θ#LS1
L · #Le10#LS1
· #L(S1
σ4−→S0)#Le10
a.s.−−→ θP10P(σ4)
µ11[P(σ2)+P(σ4)].
Hence, the existence of α has been proved, and the definition is well-defined. We can compute α
from this expression in terms of ph,∆, θ. The theorem in [29] shows
1
µ00=
π0∑2
i=0 πiµi
,1
µ11=
π1∑2
i=0 πiµi
.
Combining the results above, we get
α = π0P00P(σ2)
[P(σ2)+P(σ4)]∑
2
i=0πiµi
(
1− π2P20∑2
i=0πiPi0
)
+θ π0P00P(σ4)+π1P10P(σ4)
[P(σ2)+P(σ4)]∑
2
i=0πiµi
where µi denotes the expected time that the semi-Markov process stays in state Si before making
a transition and µi =∑2
j=0 Pij lij .
.2.4 Proof of Lemma 3.2
Proof. Consider k transitions in the Markov chain and L denotes the total time slots of k transitions.
From the proof of Lemma 3.1, we can know that it suffices to prove the concentration bound for#L(S0
σ2−→S0)L = k
L ·#LS0
k · #L(S0
σ2−→S0)#LS0
.
By applying the Chernoff bound for #Le00#LS0
and #L(S0
σ2−→S0)#Le00
, we have
P
(
#L(S0
σ2−→S0)#LS0
≤ (1−δ1)P00P(σ2)P(σ2)+P(σ4)
)
≤ exp(−c1δ21P(σ2)P00/(P(σ2) + P(σ4))),
where c1 is a constant independent of the random variables.
Let K be the ǫ-mixing time for the embedded chain, with ǫ < 18 . Applying the Theorem .1, we
can obtain a concentration bound for visiting the state S0:
P(#LS0 ≤ (1− δ2)kπ0) ≤ c2 ‖φ‖π e−δ2
2kπ0/(72K).
The time spent on each edge is a sub-exponential random variable. Let Zi be the i-th transition
31
time so L =∑k
i=1 Zi and
P(L ≥ (1 + δ3)k∑
i=1
EπZi) ≤ c3e−c4δ3k,
where c3, c4 are independent with k, and EπZi =∑2
j=0 πjµj.
Hence, conditioning on the event
#L(S0σ2−→ S0) ≤ (1− δ1)#LS0
P00P(σ2)P(σ2)+P(σ4)
∪ #LS0 ≤ (1− δ2)kπ0 ∪ L ≥ (1 + δ3)∑k
i=1 EπZi,
choose δ such that 1− δ = (1−δ1)(1−δ2)1+δ3
so
αL < (1− δ)α.
Take the union bound:
P(αL < (1− δ)α) = exp(−Ω(δk)).
The results shows that the probability of underestimating the consensus difficulty rate is negligible
in k, the number of patterns in the given rounds.
In order to express this bound in terms of L, consider the concentration bound for L:
k∆ < L < (1 + δ3)k
2∑
j=0
πjµj
with overwhelming probability in k. Hence, L = Θ(k) with high probability and
P(αL < (1− δ)α) = exp(−Ω(δL)).
.2.5 Proof of Lemma 3.3
Proof. The probability for ‘h’ to appear in each time slot is qh Conditioning on pattern σ4, the
number of symbol ‘h’ Y follows a binomial distribution with parameters ∆ and qh/(1 − qH). We
can obtain the inequality by applying the Chernoff’s inequality to Y .
.2.6 Proof of Theorem 3.2
Proof. The ratio
R = (1−qH)∆
ph(qh+θqH)(1−ph)2∆
[
q2h(1− ph)2∆ + qhqH(1− ph)
∆(1− qH)∆ + θphqH(1− qH)∆]
.
which is a fractional linear function. If we want to show the monotonicity of fractional linear
function f(x) = ax+bcx+d , we only need to compare the values of a
c and bd , and
ac < b
d indicates the
increasing property of R in θ.
32
It suffices to showq2h(1−ph)
2∆+qhqH(1−ph)∆(1−qH )∆
qh< phqH(1−qH )∆
qH:
q2h(1−ph)
2∆+qhqH(1−ph)∆(1−qH )∆
qh
< qh(1− ph)2∆ + qH(1− ph)
∆
< qh(1− ph)∆ + qH(1 − ph)
∆
= ph(1− ph)∆
< ph(1− qH)∆
= phqH(1−qH )∆
qH.
Therefore, R is increasing in θ. Let θ = 1, and thus
R >(1−qH )∆[q2
h(1−ph)
2∆+qhqH(1−qH )∆(1−ph)∆+phqH(1−qH )∆]
p2h(1−ph)2∆
> (1−qH )∆[phqh(1−ph)2∆+phqH (1−qH)∆]
p2h(1−ph)2∆
Apply the weighted power mean inequality to the RHS:
(1−qH )∆[phqh(1−ph)2∆+phqH(1−qH )∆]
p2h(1−ph)2∆
= qhph(1− qH)∆ + qH
ph(1−qH1−ph
)2∆
≥[
qhph(1− qH) + qH
ph(1−qH1−ph
)2]∆
≥[
qhph(1− qH) + qH
ph(1−qH1−ph
)]∆
.
It remains to prove qhph(1− qH) + qH
ph
(
1−qH1−ph
)
≥ 1 if we want to show R > 1. As
qhph(1− qH) + qH
ph· 1−qH1−ph
= (1−qH )(1−qh)(1−ph)
= 1−ph+qhqH1−ph
> 1,
we conclude the proof.
.2.7 The Expression of A and Approximation Method
The exact expression for the tolerance ratio is
A = (1−qph)∆
(θ−1)q+1 [(1− ph)2∆(q − 1)2
+(1− ph)∆q(1− q)(1− qph)
∆ + θq(1− qph)∆].
Though A has an analytical expression, it is hard to obtain a closed-form expression of q∗. We can
apply numerical methods such as Newton’s iteration to find q∗. In order to analyze the relationship
between two parameters, we approximate the object function A by ignoring some terms with small
values in A. Since (1− ph)2∆(q− 1)2 < (1− qph)
∆ and (1− ph)∆q(1− q)(1− qph)
∆ < q(1− qph)∆,
we can ignore these terms for large θ (e.g., θ > 100). Now, we can define the lower bound A for A:
A :=θq(1− qph)
2∆
(θ − 1)q + 1, (9)
33
0 0.2 0.4 0.6 0.8 1
0.2
0.4
0.6
0.8
q (randomness parameter)
A(A
dversarytolerance
ratio)
0 1,000 2,000 3,000 4,000 5,0000.000
0.050
0.100
0.150
θ (weight parameter)
q∗(O
ptimal
random
nessparam
eter)
0 1,000 2,000 3,000 4,000 5,000
0.800
0.850
0.900
0.950
θ (weight parameter)
A∗ θ(M
axim
alad
versarytolerance
ratio)
Fig. 13: ∆ = 1013, ph = 7.5× 10−14 in each figure. The first figure is a theoretical curve of adversarytolerance ratio A with the case θ = 100. The second figure shows the decreasing trend of optimal q in θ.The third figure is the maximal adversary tolerance ratio for each θ. The curves in the second and thirdgraphs are results of approximation method while the sampled points are obtained by maximizing A.
which has a unique solution to the new optimization problem:
q∗ = argmaxq∈(0,1)
A.
.2.8 Proof of Theorem 4.1
Proof. 1. Regard A as the single variable function of q. As A is continuous in [0, 1], it must have
a maximizer in [0, 1]. It suffices to show ∂A∂q
∣
∣
q=1< 0 and ∂A
∂q
∣
∣
q=0> 0 to rule out the case that the
maximizer is the endpoint of [0, 1].
Then∂A
∂q
∣
∣
∣
∣
q=0
= θ[1− (1− ph)2∆] + (1− ph)
∆[1− (1 + ∆ph)(1 − ph)∆]
is positive and
∂A
∂q
∣
∣
∣
∣
q=1
=1
θ(1− ph)
2∆−1[−2∆phθ + (1− ph)(1− (1− ph)∆)]
is negative.
Clearly, θ[1 − (1 − ph)2∆] > 0 and 1 − (1 + ∆ph)(1 − ph)
∆ ≥ 0 as a result of the function
f(x) = (1 + nx)(1− x)n ≤ 1 for x ∈ [0, 1] and n ≥ 1. Hence, ∂A∂q
∣
∣
q=0> 0.
For the second inequality, the Bernoulli inequality shows that (1− ph)∆ > 1−∆ph. Combining
the fact that θ > 1, we obtain
∂A
∂q
∣
∣
∣
∣
q=1
< −1
θ(1− ph)
2∆−1(1 + ph)ph∆ < 0
Since the derivative ∂A∂q is continuous in (0, 1), the function will have a nontrivial maximizer in
(0, 1).
34
2. Let ∂A∂q = 0 and solving the equation, we obtain
q∗(θ) =−ph(2∆ + 1) +
√
p2h(2∆ + 1)2 + 8∆ph(θ − 1)
4∆ph(θ − 1).
The monotonicity of q∗(θ) follows directly from the above expression.
3. It is observable that A is increasing in θ. Therefore, it is straightforward that A∗θ is increasing
in θ.
.3 Chain Properties
.3.1 Proof of Lemma 3.4
Proof. At the time slot t, each honest player will try to extend a path whose weight is at least
W(Ft−∆), because at time t−∆, the heaviest path has weight W(Ft−∆) and after ∆ rounds, every
honest party will hold a chain with weight at least W(Ft−∆).
Let τ denote the time interval such that
τ = mint′ :W(Ft+t′−∆) ≥ W(Ft−∆) + (1− q) + qθ,
then E[τ ] ≤ 1ph
+ ∆. The expected weight of a block is (1 − q) + qθ, and the expected time to
produce a block for honest parties is 1ph. Therefore, after ∆ time slots, each honest party will hold
a chain with weight at least W(Ft+τ−∆) at time t + τ . Then we conclude that in the sense of
expectation, one will extend a block to the heaviest chain in Ft with time interval at most 1ph
+∆.
Then for S rounds, the heaviest chain will increase weight at least
Sph1− q + qθ
1 + ph∆,
and this indicates W(Ft+S−∆) ≥ Sph1−q+qθ1+ph∆
in the sense of expectation. We finish the proof by
applying the Hoeffding’s inequality:
W(Ft+S−∆)−W(Ft−∆) ≥ (1− δ)Sph1− q + qθ
1 + ph∆
with probability 1− eΩ(−Sδ2).
Remark .1 From the proof of the Lemma 3.4, we can see the bound for E[τ ] is loose for some cases.
When ph ≈ 1, E[τ ] is much less than ∆. Therefore, the chain growth rate derived in the Lemma 3.4 is
not tight. Theoretically, the chain growth rate u should be larger than the consensus rate α, because
there are a proportion of weights from the blocks which do not lead to consensus in the heaviest chain.
However, u is less than α for specific parameters, e.g., ph = 2× 10−13,∆ = 1013, q = 0.02, θ = 500.
Lemma .1 Let Dt denote the cumulative weights of blocks mined by adversary parties during t
35
time slots, then for any δ > 0,
P(Dt > (1 + δ)pat(1− q + qθ)) ≤ exp(−Ω(δ2t)).
Proof. WLOG, we can assume the beginning time slot is 1. Let random variable Xi denote the
weights contributed by the adversary at slot i ∈ [t]. The probability mass function of Xi is
P(Xi = 1) = qa,P(Xi = θ) = qA,P(Xi = 0) = 1− pa.
Since Xi is a bounded random variable, then
P(Dt ≥ (1 + δ)tpa(1− q + qθ))
= P(∑t
i=1Xi ≥ (1 + δ)tE[Xi])
≤ exp(−Ω(δ2t)),
where the last inequality is directly from the Hoeffding’s inequality.
.3.2 Proof of Lemma 3.5
Suppose S ⊂ Ct−∆ starts with an honest block B whose label is t1 and the cumulative weight
of S is D, then it suffices to show that the weight contributed by adversary blocks is at most
(1 + δ)( paph + pa∆)D in S with high probability for every δ > 0.
Since B is honest, then we have W(Ct1) ≤ W(Ft1) according to the definition of the maximal
honest subfork. Thus, by Lemma .3.1, for every δ1 > 0, the chain growth rate of the this segment
is at least (1− δ1)ph1−q+qθ1+ph∆
except with probability exp(−Ω(δ21D)). Then
t−∆− t1 ≤D(1 + ph∆)
(1− δ1)(1− q + qθ)ph.
By Lemma .1, for every δ2 > 0, the weights contributed by adversary blocks in the time interval
are upper bounded by
(1 + δ2)pa(t−∆− t1)(1− q + qθ) ≤(1 + δ2)(
paph
+ pa∆)D
(1− δ1)
except with probability e−Ω(δ21D) + e
−Ω(δ22
1−δ1D)
.
For a given δ > 0, we can select a δ1 and let 1 + δ = 1+δ21−δ1
, so the fraction of the cumulative
weights contributed by adversary parties are at most (1 + δ)( paph + pa∆) except with probability
exp(−Ω(δ2D)).
.4 Related Material
Theorem .1 ([4]) Let M be an ergodic Markov chain with state space [n] and stationary distribu-
tion π. Let T be its ǫ-mixing time for ǫ < 1/8. Let (V1, V2, · · · , Vt) denote a t-step random walk on
M staring from an initial distribution φ on [n]. For every i ∈ [t], let fi : [n]→ [0, 1] be a weighted
function at step i such that the expected weight Eπ[fi(v)] = µ for all i. Define the total weight of
36
the walk (V1, V2, · · · , Vt) by X =∑t
i=1 fi(Vi). There exists some constant c (which is independent
of µ,δ, and ǫ) such that
1. P(X ≥ (1 + δ)µt) ≤ c ‖φ‖π exp(−δ2µt/(72T )) for 0 ≤ δ ≤ 1,
2. P(X ≥ (1 + δ)µt) ≤ c ‖φ‖π exp(−δµt/(72T )) for δ > 1,
3. P(X ≤ (1− δ)µt) ≤ c ‖φ‖π exp(−δ2µt/(72T )) for 0 ≤ δ ≤ 1,
where ‖φ‖π is the π-norm of φ given by∑
i∈[n] φ2i /πi.
Lemma .2 f(x) = (1 + nx)(1− x)n ≤ 1 for x ∈ [0, 1] and n ≥ 1.
Proof.
f ′(x) = −n(n+ 1)x(1 − x)n−1 ≤ 0,
so f(x) ≤ f(0) = 1 for n > 1. As for n = 1, f(x) = 1− x2 < 1.
Lemma .3 (Weighted Power Mean Inequality) Assume ai, bi and pi, i = 1, 2, · · · , k are pos-
itive numbers. For m > n, then
(
∑ki=1 pia
mi
∑ki=1 pi
)1
m
≥
(
∑ki=1 pia
ni
∑ki=1 pi
)1
n
.
The equality holds iff ai = bi for i = 1, 2, · · · , k.
Theorem .2 (McDiarmid’s Inequality) Let X1, · · · ,Xn be independent random variables, where
Xi has range Xi. Let f : X1×· · ·×Xn → R be any function with the (c1, · · · , cn)-bounded differences
property: for every i = 1, · · · , n and every (x1, · · · , xn), (x′1, · · · , x
′n) ∈ X1 × · · · × Xn that differ
only in the i-th corodinate (xj = x′j for all j 6= i ), we have
|f(x1, · · · , xn)− f(x′1, · · · , x′n)| ≤ ci.
For any t > 0,P(f(X1, · · · ,Xn)− E[f(X1, · · · ,Xn)] ≥ t)
≤ exp(
− 2t2∑n
i=1c2i
)
.
37